Warakorn - Fotolia

Before tackling secure texting in healthcare, change culture

Experts say that while lip service for secure communications technology is great, the first step is convincing leaders and clinicians to recognize the risks to health data.

While data breaches in the retail and government sectors grabbed the lion's share of headlines last year, hospitals and healthcare systems remain a favorite target of cyberattacks. The reason is simple: the combination of vast amounts of personally identifiable information, along with electronic health records.

That combination makes the health data a potential double bonanza when it comes to successful cyberattack prizes. Without a tight lid on clinician communications and a dedication to secure texting in healthcare, thieves can exploit the risks.

"Healthcare has definitely been a growing target, and that is because of the personalized information available, plus the medical aspect," said Jay Jacobs, a senior data scientist at BitSight Technologies, a company in Cambridge, Mass., that develops security ratings for vendors. Jacobs tracks cybersecurity incidents and data breaches, and stressed that medical claim fraud is big business today.

BitSight publishes an annual report card on how various industries are doing when it comes to protecting data. The IT security research and consulting firm looks at a number of factors around network and data security best practices.

While some sectors -- such as financial services -- are doing fairly well by BitSight's reckoning, others are clearly not. That includes healthcare, which BitSight described as "poorly performing."

Secure texting in healthcare is a tough chore

The healthcare sector is an underachiever at data defense, even though most business and technology leaders today are well aware of the risks of compromised data and cyberattacks.

The answer to this dilemma lays in "the last mile between the health system and the independent provider or the patient home," said Helen V. Thompson, an executive healthcare strategist and co-owner and founder of The Rockwood Group in Huntsville, Ala.

In other words, the lack of secure texting and communications is a primary factor in healthcare data risk. It is also a quick way for a hospital or healthcare organization to find itself in violation of HIPAA compliance, with swift and costly implications (see sidebar).

I have never seen so many ads for chief information security officers in the healthcare space as I have in the past year.
Helen V. Thompsonfounder, The Rockwood Group

"This is a problem that we've been trying to solve for a while now," Thompson said. "Where [healthcare practitioners] don't necessarily have a good strategy or are particularly confident is in their ability to secure that data in a collaborative environment -- say, between an independent physician and the hospital regarding a particular patient, or that critical trilogy of the hospital, the patient and the provider."

The good news is that some healthcare organizations recognize the challenge of secure texting and messaging -- and are trying to do something about it.

"I have never seen so many ads for chief information security officers in the healthcare space as I have in the past year," Thompson said.

Still, one of the challenges with better securing healthcare communications is knowing at which point to start, Thompson said.

"How you secure communications is going to have many different facets because you have to ask, 'Who are you trying to secure communications with?' Is it between patient and physician; nurse to patient; are you doing it for marketing purposes, or for outreach to consumers? And what are you trying to share in that data?" Thompson noted.

Electronic records accumulate data

Concerns over secure communications in healthcare are certainly not lost on Mark A. Jacobs. As CIO at the Delaware Health Information Network, Jacobs' organization deals with most of the health data created within, or routed through, his state.

"In Delaware, we're the only health information exchange [HIE] that exists," he said. "We're unique in some ways because we actually aggregate data from separate organizations and we bring that information into a community health record, which represents the [accumulative] record for pretty much the lifetime of the patient."

Like Thompson, Mark Jacobs said the fear of a data breach or compromised patient data remains a top concern. He also confirms that storing a patient's accumulative data in multiple locations, which can be accessed by multiple parties, presents a top risk. But it is the communication between parties, and the method of that communication, that can be the weakest link in the security chain.

CMS can investigate texting missteps

Insecure communications in healthcare can leave an organization at greater risk for a cyberattack or data compromise. They can also be the fast track to unintentional HIPAA violations and the ensuing consequences.

That was the result at a North Carolina nursing home when a doctor asked a nurse to text a patient's lab results. According to a 2014 blog by North Carolina-based law firm Poyner Spruill, the seemingly innocent request involved SMS messaging that allegedly was not secure, a situation noted by investigators from the federal Centers for Medicine & Medicaid Services (CMS). That agency issued a deficiency report against the facility, meaning that there was "no actual harm, but potential for more than minimal harm," the law firm noted.

CMS gave the nursing home a 10-point corrective plan that had to be completed within 15 days. Among the required steps:

  • Revising the facility's HIPAA policies and procedures and initiating staff training on identity theft risks.
  • Hiring an external contractor to conduct training.
  • Designating a member of staff as HIPAA compliance officer.
  • Reviewing possible losses of personal health information by former employees and creating an action plan to address any such incidents.
  • Notifying all residents and families by letter of the alleged HIPAA violation and outlining what steps the facility was taking to prevent subsequent violations. – D.W.

Let employees know: Text messages come with risk

So what is the healthcare organization to do about the problem? Jay Jacobs, Mark Jacobs and Thompson all agree that the most important first steps to ensure secure texting in healthcare are executive awareness and employee training.

That starts with the blunt notion that SMS communication – the technical term behind text messaging -- is not secure, and it is definitely not HIPAA compliant.

"Everybody owns the responsibility for privacy and security," Mark Jacobs stressed. "You need to keep that in the forefront of everybody's thoughts. It's people, then process and then technology last. If you don't build that into your culture, and you're just buying technology and you think it's going to work for itself, it's not."

Thompson agreed, urging CIOs and CISOs to start at the top and educate hospital executives about:

  • The full extent of risks to the organization's data;
  • Recommendations on how to best secure a multitude of devices accessing that data;
  • Access on a need-to-have only basis; and
  • Applications that keep patient data secure in transmission.

Therefore, the best approach is to target the individuals within the organization that are creating, accessing and sharing patient data in the first place. Make them the first line of defense, she urged.

Next Steps

Agency plans to improve overall mHealth security

Health system creates data dictionary to monitor IoT medical device security

Encrypting communications between headset and audio jack may be crucial

Dig Deeper on HIPAA (Health Insurance Portability and Accountability Act)